Microsoft Entra
In the setup steps below, we will be filling out a json blob with the following contents pulled from your Microsoft Entra portal:
This json will go into a secrets store for the Teleskope app to use as a reference, and enable authenticating through Microsoft Entra. It's a good idea to copy this blob somewhere locally before we get started.
Setup
Navigate to https://entra.microsoft.com/ and sign into your enterprise's Microsoft dashboard.
On the side navigation menu, select Overview. From here you should see a tenant id of the form xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx, which you can copy into your json blob's "tenant" field.
Next you will want to register a new application within Microsoft Entra that will correspond to your Teleskope deployment. On the side navigation menu again, select the Applications dropdown and App registrations.
Select New registration, and name your Teleskope app. There will be a few authentication options; we recommend Accounts in this organizational directory only (Single tenant) as the simplest option.
Now under Applications/App registrations you should be able to navigate to our newly set up app. Go there next. In the Overview page you should see an Application (client) ID, which you should copy into the client_id section of our json blob.
Under Certificates & Secrets in your app registration page, you will need to create a secret that will be used as part of the auth handshake. Select New client secret, and set a name and expiry. Afterwards, you can copy this secret's value and paste it into the client_secret section of our json blob.
Still under your app registration page, select API Permissions and click Add a Permission. You will want to set up delegated permissions for Microsoft Graph, admin consent not required. You will need at least the email, openid and profile permissions set.
We already had this value set in our json blob by default, but with those permissions set we will now be able to use the "scope": "https://graph.microsoft.com/.default" field, as any logins will redirect to https://graph.microsoft.com to get user profile info.
Still under your app registration page, select Manifest and change accessTokenAcceptedVersion to 2 within the corresponding json manifest.
As a final step in Microsoft Entra under your app registration page, select Authentication and add a redirect URI so that Microsoft knows how to call back to your Teleskope instance on logins, as a part of the typical OAuth flow. This redirect URI should be https://teleskope-provided-uri/auth/microsoft/callback or something similar, depending on the URL subdomains set up for your Teleskope instance.
Finally, this json blob will need to be entered into your Teleskope deployment backend or secrets manager. A Teleskope resource can help you with this step or populate it for you.
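A pre-flight check you can run on the locally saved blob before it goes into the secrets store. This is an added example, not Teleskope's own code. It assumes the blob is a flat JSON object with the four fields named in the steps above (tenant, client_id, client_secret, scope); the function name and all sample values are constructed for illustration.

```python
import json
import re

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
PLACEHOLDER = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"  # the form shown in the Overview step
EXPECTED_SCOPE = "https://graph.microsoft.com/.default"  # value given in the steps above
REQUIRED = ("tenant", "client_id", "client_secret", "scope")  # assumed blob keys
# Constructed sample: valid ids, but a GUID-shaped Secret ID pasted as the secret.
SAMPLE = ('{"tenant": "11111111-2222-3333-4444-555555555555", '
          '"client_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", '
          '"client_secret": "99999999-8888-7777-6666-555555555555", '
          '"scope": "https://graph.microsoft.com/.default"}')


def check_entra_blob(raw: str) -> list[str]:
    """Return problems found in the blob; an empty list means every check passed.
    Messages name the field only, so the secret never ends up in terminal output."""
    try:
        blob = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(blob, dict):
        return ["top level must be a JSON object"]
    problems = []
    for key in REQUIRED:
        value = blob.get(key)
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{key}: missing or empty")
        elif value != value.strip():
            problems.append(f"{key}: stray whitespace from copy-paste")
    if problems:
        return problems

    for key in ("tenant", "client_id"):
        if blob[key] == PLACEHOLDER:
            problems.append(f"{key}: still the placeholder")
        elif not GUID.match(blob[key]):
            problems.append(f"{key}: not a GUID")
    if not problems and blob["tenant"] == blob["client_id"]:
        problems.append("client_id: same as tenant, one was pasted into the wrong field")
    # Heuristic: the portal lists a GUID-shaped Secret ID beside the secret's Value.
    if GUID.match(blob["client_secret"]):
        problems.append("client_secret: looks like the Secret ID, not the secret's Value")
    if blob["scope"] != EXPECTED_SCOPE:
        problems.append(f"scope: expected {EXPECTED_SCOPE}")
    return problems


if __name__ == "__main__":
    print(check_entra_blob(SAMPLE) or "ok")
```

Once the blob passes and is stored in the secrets manager, delete the local copy, since it contains the client secret in plain text.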
Clean Up
Note that after this step, you'll want to assign users to your new Teleskope Entra app.
A first/last name in Entra is required for any user logging into Teleskope.